Bluetooth leaks enable eavesdropping via headphones

Researchers have discovered security vulnerabilities in Bluetooth chips manufactured by Airoha. These chips are used by a large number of manufacturers.

The vulnerabilities allow malicious parties to eavesdrop via Bluetooth or steal sensitive data such as contact lists and call history.

The problem affects 29 devices from brands such as Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, Jlab, EarisMax, MoerLabs, and Teufel. These include products such as headphones, speakers, and microphones. In some cases, attackers within Bluetooth range can even take control of a device.

During the TROOPERS conference in Germany, security researchers from the German company ERNW presented three vulnerabilities in the Airoha chips that are widely used in True Wireless Stereo earbuds.

The three vulnerabilities all stem from missing authentication in Bluetooth services exposed by the chip, over both Bluetooth Classic (BR/EDR) and Bluetooth Low Energy (BLE). The most serious of these concerns Airoha's own proprietary protocol, which an attacker in radio range can talk to without pairing or any other authentication. Using a test setup, ERNW was able to read the audio currently being played on a target device, among other things.

Insight into call history and contact details

Although eavesdropping on music may not seem particularly alarming, the researchers demonstrate that the same vulnerabilities can be exploited to take over a Bluetooth connection: the proprietary protocol gives access to the device's memory, from which the link key for the paired phone can be extracted, allowing the attacker to impersonate the headphones towards that phone. Using the Hands-Free Profile, it is then possible to control the phone, for example to start or answer calls. On some devices, it was even possible to read call history and contact details.

In one of the demonstrations, the researchers managed to start a phone call and then listen in on everything that was happening in the vicinity of the phone. Because the same protocol also allows writing to the device's flash memory, they were also able to rewrite the firmware of the affected device. This opens the door to wormable attacks, in which malicious firmware automatically spreads from one device to other nearby devices.

However, such attacks are difficult to carry out in practice. They require not only specialist knowledge, but also that the attacker is within Bluetooth range of the victim, typically a few metres. According to the researchers, the risk of large-scale abuse is therefore limited. For people in sensitive professions, such as diplomats, journalists, or activists, it could nevertheless pose a real threat.

Airoha has since released a new version of its software development kit (SDK) that fixes the problems. Manufacturers of affected devices must build and distribute firmware updates based on it. However, according to Heise Online, many of the current firmware versions for these devices date from before May 27, while Airoha only made the updated SDK available after that date. A firmware build older than that cannot contain the fix, so many devices are still vulnerable to the attacks described; owners of affected products should check the release date of their device's latest firmware rather than assume that an update is in place.